

CVE-2023-2943: bug fix (#6079) · openemr/openemr@c1c0805

Code Injection in GitHub repository openemr/openemr prior to 7.0.1.


Expand Up @@ -43,7 +43,7 @@ require_once(“$srcdir/forms.inc.php”); require_once(“$srcdir/appointments.inc.php”);
use OpenEMR\Core\Header; use OpenEMR\Services\AppointmentService;
// Things that might be passed by our opener. // Expand All @@ -64,6 +64,24 @@ exit(); }
if (!empty($_POST[‘form_pid’])) { if ($_POST[‘form_pid’] != $_SESSION[‘pid’]) { echo js_escape(“error”); exit(); }
if (! getAvailableSlots($_POST[‘form_date’], date(‘Y-m-d’, strtotime("+1 year " . $_POST[‘form_date’])), $_POST[‘form_provider_ae’])) { echo js_escape(“error”); exit(); }
$appointment_service = (new AppointmentService())->getOneCalendarCategory($_POST[‘form_category’]); if (($_POST[‘form_duration’] * 60) != ($appointment_service[0][‘pc_duration’])) { echo js_escape(“error”); exit(); } }
if ($date) { $date = substr($date, 0, 4) . '-' . substr($date, 4, 2) . '-' . substr($date, 6); } else { Expand Down Expand Up @@ -135,7 +153,7 @@ $event_date = fixDate($_POST[‘form_date’]);
// Compute start and end time strings to be saved. if ($_POST[‘form_allday’]) { if ($_POST[‘form_allday’] ?? null) { $tmph = 0; $tmpm = 0; $duration = 24 * 60; Expand Down Expand Up @@ -165,7 +183,7 @@
// More garbage, but this time 1 character of it is used to save the // repeat type. if ($_POST[‘form_repeat’]) { if ($_POST[‘form_repeat’] ?? null) { $recurrspec = ‘a:5:{’ . ‘s:17:"event_repeat_freq";s:1:"’ . $_POST[‘form_repeat_freq’] . ‘";’ . ‘s:22:"event_repeat_freq_type";s:1:"’ . $_POST[‘form_repeat_type’] . ‘";’ . Expand All @@ -185,7 +203,7 @@ //for example monday, or thursday. We set the start date on the first day of the week //that the event is scheduled. For example if you set the event to repeat on each monday //the start date of the event will be set on the first monday after the day the event is scheduled if ($_POST[‘form_repeat_type’] == 5) { if (($_POST[‘form_repeat_type’] ?? null) == 5) { $exploded_date = explode("-", $event_date); $edate = date("D", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2], $exploded_date[0])); if ($edate == “Tue”) { Expand All @@ -201,7 +219,7 @@ } elseif ($edate == “Sun”) { $event_date = date("Y-m-d", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2] + 1, $exploded_date[0])); } } elseif ($_POST[‘form_repeat_type’] == 6) { } elseif (($_POST[‘form_repeat_type’] ?? null) == 6) { $exploded_date = explode("-", $event_date); $edate = date("D", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2], $exploded_date[0])); if ($edate == “Wed”) { Expand All @@ -217,7 +235,7 @@ } elseif ($edate == “Mon”) { $event_date = date("Y-m-d", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2] + 1, $exploded_date[0])); } } elseif ($_POST[‘form_repeat_type’] == 7) { } elseif (($_POST[‘form_repeat_type’] ?? null) == 7) { $exploded_date = explode("-", $event_date); $edate = date("D", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2], $exploded_date[0])); if ($edate == “Thu”) { Expand All 
@@ -233,7 +251,7 @@ } elseif ($edate == “Tue”) { $event_date = date("Y-m-d", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2] + 1, $exploded_date[0])); } } elseif ($_POST[‘form_repeat_type’] == 8) { } elseif (($_POST[‘form_repeat_type’] ?? null) == 8) { $exploded_date = explode("-", $event_date); $edate = date("D", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2], $exploded_date[0])); if ($edate == “Fri”) { Expand All @@ -249,7 +267,7 @@ } elseif ($edate == “Wed”) { $event_date = date("Y-m-d", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2] + 1, $exploded_date[0])); } } elseif ($_POST[‘form_repeat_type’] == 9) { } elseif (($_POST[‘form_repeat_type’] ?? null) == 9) { $exploded_date = explode("-", $event_date); $edate = date("D", mktime(0, 0, 0, $exploded_date[1], $exploded_date[2], $exploded_date[0])); if ($edate == “Sat”) { Expand Down Expand Up @@ -305,7 +323,7 @@ “’” . add_escape_custom($_POST[‘form_category’]) . "’, " . “’” . add_escape_custom($row[‘pc_multiple’]) . "’, " . “’” . add_escape_custom($to_be_inserted) . "’, " . “’” . add_escape_custom($_POST[‘form_pid’]) . "’, " . “’” . add_escape_custom($_SESSION[‘pid’]) . "’, " . “’” . add_escape_custom($_POST[‘form_title’]) . "’, " . "NOW(), " . “’” . add_escape_custom($_POST[‘form_comments’]) . "’, " . Expand All @@ -332,7 +350,7 @@ foreach ($_POST[‘form_provider_ae’] as $provider) { sqlStatement("UPDATE openemr_postcalendar_events SET " . “pc_catid = '” . add_escape_custom($_POST[‘form_category’]) . "’, " . “pc_pid = '” . add_escape_custom($_POST[‘form_pid’]) . "’, " . “pc_pid = '” . add_escape_custom($_SESSION[‘pid’]) . "’, " . “pc_title = '” . add_escape_custom($_POST[‘form_title’]) . "’, " . "pc_time = NOW(), " . “pc_hometext = '” . add_escape_custom($_POST[‘form_comments’]) . "’, " . Expand Down Expand Up 
@@ -365,22 +383,22 @@ sqlStatement("UPDATE openemr_postcalendar_events SET " . “pc_catid = '” . add_escape_custom($_POST[‘form_category’]) . "’, " . “pc_aid = '” . add_escape_custom($prov) . "’, " . “pc_pid = '” . add_escape_custom($_POST[‘form_pid’]) . "’, " . “pc_pid = '” . add_escape_custom($_SESSION[‘pid’]) . "’, " . “pc_title = '” . add_escape_custom($_POST[‘form_title’]) . "’, " . "pc_time = NOW(), " . “pc_hometext = '” . add_escape_custom($_POST[‘form_comments’]) . "’, " . “pc_informant = '” . add_escape_custom($_SESSION[‘providerId’]) . "’, " . “pc_eventDate = '” . add_escape_custom($event_date) . "’, " . “pc_endDate = '” . add_escape_custom(fixDate($_POST[‘form_enddate’])) . "’, " . “pc_endDate = '” . add_escape_custom(fixDate($_POST[‘form_enddate’] ?? ‘’)) . "’, " . “pc_duration = '” . add_escape_custom(($duration * 60)) . "’, " . “pc_recurrtype = '” . ($_POST[‘form_repeat’] ? ‘1’ : ‘0’) . "’, " . “pc_recurrtype = '” . (($_POST[‘form_repeat’] ?? null) ? ‘1’ : ‘0’) . "’, " . “pc_recurrspec = '” . add_escape_custom($recurrspec) . "’, " . “pc_startTime = '” . add_escape_custom($starttime) . "’, " . “pc_endTime = '” . add_escape_custom($endtime) . "’, " . “pc_alldayevent = '” . add_escape_custom($_POST[‘form_allday’]) . "’, " . “pc_alldayevent = '” . add_escape_custom(($_POST[‘form_allday’] ?? ‘’)) . "’, " . “pc_apptstatus = '” . add_escape_custom($_POST[‘form_apptstatus’]) . "’, " . “pc_prefcatid = '” . add_escape_custom($_POST[‘form_prefcat’]) . "’, " . “pc_facility = '” . (int)$_POST[‘facility’] . "’ " . // FF stuff “pc_prefcatid = '” . add_escape_custom(($_POST[‘form_prefcat’] ?? ‘’)) . "’, " . “pc_facility = '” . (int)($_POST[‘facility’] ?? null) . "’ " . // FF stuff “WHERE pc_eid = '” . add_escape_custom($eid) . “’”); }
Expand Down Expand Up @@ -416,7 +434,7 @@ “’” . add_escape_custom($_POST[‘form_category’]) . "’, " . “’” . add_escape_custom($new_multiple_value) . "’, " . “’” . add_escape_custom($provider) . "’, " . “’” . add_escape_custom($_POST[‘form_pid’]) . "’, " . “’” . add_escape_custom($_SESSION[‘pid’]) . "’, " . “’” . add_escape_custom($_POST[‘form_title’]) . "’, " . "NOW(), " . “’” . add_escape_custom($_POST[‘form_comments’]) . "’, " . Expand Down Expand Up @@ -446,24 +464,24 @@ ") VALUES ( " . “’” . add_escape_custom($_POST[‘form_category’]) . "’, " . “’” . add_escape_custom($_POST[‘form_provider_ae’]) . "’, " . “’” . add_escape_custom($_POST[‘form_pid’]) . "’, " . “’” . add_escape_custom($_SESSION[‘pid’]) . "’, " . “’” . add_escape_custom($_POST[‘form_title’]) . "’, " . "NOW(), " . “’” . add_escape_custom($_POST[‘form_comments’]) . "’, " . “’” . add_escape_custom($_SESSION[‘providerId’]) . "’, " . “’” . add_escape_custom($event_date) . "’, " . “’” . add_escape_custom(fixDate($_POST[‘form_enddate’])) . "’, " . “’” . add_escape_custom(fixDate(($_POST[‘form_enddate’] ?? ‘’))) . "’, " . “’” . add_escape_custom(($duration * 60)) . "’, " . “’” . ($_POST[‘form_repeat’] ? ‘1’ : ‘0’) . "’, " . “’” . (($_POST[‘form_repeat’] ?? null) ? ‘1’ : ‘0’) . "’, " . “’” . add_escape_custom($recurrspec) . "’, " . “’” . add_escape_custom($starttime) . "’, " . “’” . add_escape_custom($endtime) . "’, " . “’” . add_escape_custom($_POST[‘form_allday’]) . "’, " . “’” . add_escape_custom(($_POST[‘form_allday’] ?? ‘’)) . “’, " . “’” . add_escape_custom($_POST[‘form_apptstatus’]) . “’, " . “’” . add_escape_custom($_POST[‘form_prefcat’]) . “’, " . “’” . add_escape_custom(($_POST[‘form_prefcat’] ?? null)) . “’, " . “’” . add_escape_custom($locationspec) . “’, " . “1, " . “1, " . (int)$_POST[‘facility’] . ")"); // FF stuff “1, " . (int)($_POST[‘facility’] ?? null) . ")"); // FF stuff } // INSERT single } // else - insert } elseif (($_POST[‘form_action’] ?? null) == “delete”) { Expand Down Expand Up 
@@ -496,7 +514,7 @@ $note .= “. " . xl(“Use Portal Dashboard to confirm with patient.”); $title = xl(“Patient Reminders”); $user = sqlQueryNoLog(“SELECT users.username FROM users WHERE authorized = 1 And id = ?", array($_POST[‘form_provider_ae’])); $rtn = addPnote($_POST[‘form_pid’], $note, 1, 1, $title, $user[‘username’], ‘’, ‘New’); $rtn = addPnote($_SESSION[‘pid’], $note, 1, 1, $title, $user[‘username’], ‘’, ‘New’);
$_SESSION[‘whereto’] = ‘#appointmentcard’; header(‘Location:./home.php’); Expand Down Expand Up @@ -657,12 +675,12 @@ <form method=’post’ name=’theaddform’ id=’theaddform’ action=’add_edit_event_user.php?eid=<?php echo attr_url($eid); ?>’> <div class="col-12"> <input type="hidden” name="form_action” id="form_action” value="” /> <input type=’hidden’ name=’form_title’ id=’form_title’ value=’<?php echo $row[‘pc_catid’] ? attr($row[‘pc_title’]) : xla(“Office Visit”); ?>’ /> <input type=’hidden’ name=’form_apptstatus’ id=’form_apptstatus’ value=’<?php echo $row[‘pc_apptstatus’] ? attr($row[‘pc_apptstatus’]) : “^” ?>’ /> <input type=’hidden’ name=’form_title’ id=’form_title’ value=’<?php echo ($row[‘pc_catid’] ?? ‘’) ? attr($row[‘pc_title’]) : xla(“Office Visit”); ?>’ /> <input type=’hidden’ name=’form_apptstatus’ id=’form_apptstatus’ value=’<?php echo ($row[‘pc_apptstatus’] ?? ‘’) ? attr($row[‘pc_apptstatus’] ?? ‘’) : “^” ?>’ /> <div class="row form-group"> <div class="input-group col-12 col-md-6"> <label class="mr-2” for="form_category"><?php echo xlt(‘Visit’); ?>:</label> <select class="form-control mb-1” onchange=’set_category()' id=’form_category’ name=’form_category’ value=’<?php echo ($row[‘pc_catid’] > “”) ? attr($row[‘pc_catid’]) : '5’; ?>’> <select class="form-control mb-1” onchange=’set_category()' id=’form_category’ name=’form_category’ value=’<?php echo (($row[‘pc_catid’] ?? ‘’) > “”) ? attr($row[‘pc_catid’]) : '5’; ?>’> <?php echo $catoptions ?> </select> </div> Expand All 
@@ -684,7 +702,7 @@ </div> <div class="input-group"> <label class="mr-2” for="form_duration"><?php echo xlt(‘Duration’); ?></label> <input class="form-control” type=’text’ size=’1’ id=’form_duration’ name=’form_duration’ value=’<?php echo $row[‘pc_duration’] ? ($row[‘pc_duration’] * 1 / 60) : attr($thisduration) ?>’ readonly /> <input class="form-control” type=’text’ size=’1’ id=’form_duration’ name=’form_duration’ value=’<?php echo ($row[‘pc_duration’] ?? ‘’) ? ($row[‘pc_duration’] * 1 / 60) : attr($thisduration) ?>’ readonly /> <span class="input-group-append"> <span class="input-group-text"><?php echo " " . xlt(‘minutes’); ?></span> </span> Expand Down Expand Up @@ -730,7 +748,7 @@ </div> </div> <div class="row input-group my-1"> <?php if ($_GET[‘eid’] && $row[‘pc_apptstatus’] !== ‘x’) { ?> <?php if (($_GET[‘eid’] ?? null) && $row[‘pc_apptstatus’] !== ‘x’) { ?> <input type=’button’ id=’form_cancel’ class=’btn btn-danger’ onsubmit=’return false’ value=’<?php echo xla(‘Cancel Appointment’); ?>’ onclick="cancel_appointment()" /> <?php } ?> <input type=’button’ name=’form_save’ class=’btn btn-success’ onsubmit=’return false’ value=’<?php echo xla(‘Save’); ?>’ onclick="validate()" /> Expand Down
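Review bot: The new availability and duration checks in the `@@ -64,6 +64,24 @@` hunk are nested inside `if (!empty($_POST['form_pid'])) { ... }` (the closing `} }` after the duration check, as rendered, ends that outer block), so a request that simply omits `form_pid` skips both checks while the INSERT/UPDATE statements below still run with `$_SESSION['pid']`; only the pid-mismatch test belongs inside that guard. The duration check is also weak on its own: `getOneCalendarCategory()` is given an unvalidated `form_category`, and if no row comes back `$appointment_service[0]['pc_duration']` is null, so `(0 * 60) != null` is false under loose comparison and an empty `form_duration` with a non-existent category passes. Hoist the two checks out of the pid guard, reject an empty category result, and compare with `!==` on integers. Separately, `$recurrspec` is still assembled by string-concatenating `form_repeat_freq` and `form_repeat_type` into a hand-written serialized array (`s:1:"..."` with the length hard-coded); if that column is later `unserialize()`d (not visible here, please confirm) an over-long or quoted value would at least corrupt the stored structure, so these should be cast to int and whitelisted, or the string built with `serialize([...])`.
```php
if (!empty($_POST['form_pid']) && $_POST['form_pid'] != $_SESSION['pid']) {
    echo js_escape("error");
    exit();
}
// Validate the slot and duration regardless of whether form_pid was sent;
// every write below uses $_SESSION['pid'], so omitting form_pid must not skip these.
if (!getAvailableSlots($_POST['form_date'], date('Y-m-d', strtotime("+1 year " . $_POST['form_date'])), $_POST['form_provider_ae'])) {
    echo js_escape("error");
    exit();
}
$appointment_service = (new AppointmentService())->getOneCalendarCategory($_POST['form_category']);
if (empty($appointment_service) || ((int)($_POST['form_duration'] ?? 0) * 60) !== (int)$appointment_service[0]['pc_duration']) {
    echo js_escape("error");
    exit();
}
// … unchanged: $date normalisation and the rest of the script …
```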
